Cerber Ransomware Spread by Nemucod in Pseudo-Darkleech Campaign

A pseudo-Darkleech campaign is exposing users to Nemucod malware that in turn downloads Cerber ransomware onto their machines.

Heimdal’s security evangelist Andra Zaharia found the campaign hinges on pseudo-Darkleech infections by which malicious actors compromise WordPress websites and inject code into core WP files. The code displays a malicious iframe to each visitor of that website based upon their IP address usually about once a day or once a week, an evasive technique which makes such infections difficult to detect and remove.

This campaign’s malicious iframe exposes users to familiar face in the malware world, as Zaharia explains in a blog post:

“The malicious script injected into these websites is the notorious Nemucod, the generic malware downloader used to transfer malicious software onto the victims’ computers.”

Nemucod takes on a variety of disguises to trick users. For instance, it masqueraded as a .SVG image file to download Locky ransomware onto unsuspecting Facebook users’ computers as part of a campaign detected in November 2016.

Given Nemucod’s history, it’s no surprise the malware downloader is once again dropping ransomware. In this case, it’s downloading and running Cerber ransomware from two domains that both employ the “.top” top-level domain (TLD): doomgamesoa [.] Top / read.php? F = 0.dat and http: //www.astrosean [.] Top / admin.php? F = 1.dat.

Anyone who suffers a Cerber ransomware infection can expect to receive a ransom demand of at least 1,000 USD. No one wants to pay out that kind of money unexpectedly, and they certainly don’t want to do so in support of computer criminals’ dishonest deeds.

So what’s to be done?

Users need to make sure they protect themselves against this campaign and others like it by implementing security updates on a timely basis, by installing an anti-virus solution onto their computers, and by keeping multiple backups of their critical data.